Data Breach

Capital One discovered more customers’ SSNs exposed in 2019 hack

More clients of Capital One have been impacted in the 2019 data breach, the US bank is notifying them of their SSNs exposure.

US bank Capital One notified a number of additional customers that their Social Security numbers were exposed in the data breach that took place in July 2019.

A hacker that was going online with the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.

Law enforcement arrested the hacker Paige A. Thompson for the security breach.

Paige Thompson is a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016.

THOMPSON posted about the Capital One hack on GitHub, she exploited a misconfigured web application firewall to get access to the data.  On July 17, 2019, Capital One was informed of the incident by a GitHub user who saw the post.  On July 19, 2019, that financial institution discovered the intrusion and informed the FBI.

Capital One immediately fixed the configuration issue exploited by the hacker.

Paige A. Thompson was charged with computer fraud and abuse in U.S. District Court in Seattle.

The security breach data breach took place on March 22nd and 23rd, the hacker accessed information of customers who had applied for a credit card between 2005 and 2019.

“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.states a press release published by Capital One.Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Securitynumbers were not compromised.”

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.”

Exposed data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Attackers also obtained portions of credit card customer data, including: 

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

Now Capital One while analyzing data stolen during the 2019 security breach with the help of a third-party expert, discovered that intruders gained access to some of its customers’ SSNs.

“Recently, Capital One re-examined the files that were impacted by the 2019 data security incident using new and more advanced tools. As part of this analysis, we determined that your Social Security number was among the data to which the unauthorized individual gained access.” reads the letter sent by the bank to the impacted customers.

Capital One estimated the overall economic impact of the data breach at $100-$150 million.

In 2020, Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) for having failed to protect data of its customers.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Capital One)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

11 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

17 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.